New Relic interactive application security testing (IAST)
PREVIEW
This feature is currently in preview. To celebrate it, we're offering you a 3-month free trial! The IAST free trial starts the moment you accept the pre-release software terms.
IAST must only be used in a pre-production environment, ideally in a dedicated security environment.
Use of the IAST agent may generate additional billable APM data ingest.
An exploitable vulnerability is a weakness that someone can actually reach and trigger through your application's inputs, for example to read sensitive data or execute code. To find these before they reach production, install our interactive application security testing (IAST).
After you've instrumented your application with the security agent, exercise your application's APIs so that New Relic can start looking for exploitable vulnerabilities. IAST only analyzes code paths that receive traffic, so run your own functional or integration tests against your APIs.
Once you've completed all the steps, click See your data to see an overview of your tested applications.
Manage exploitable vulnerabilities for an application
To manage exploitable vulnerabilities for a specific application, do the following:
Go to one.newrelic.com > All capabilities > IAST > Applications.
Under Tested applications, search for your application or select it.
In the Application vulnerabilities tab, see all the exploitable vulnerabilities found in your application.
In the Exploitable vulnerabilities table, select an exploitable vulnerability to explore details about the vulnerability and understand the specifics of how to address it.
Additionally, in the Application coverage tab in your application window, see which parts of your application IAST has exercised and how thoroughly, so you know where a clean result actually means "tested and nothing found" rather than "not tested".
Manage exploitable vulnerabilities for all your applications
To manage all the exploitable vulnerabilities across your application portfolio, do the following:
Go to one.newrelic.com > All capabilities > IAST > Exploitable Vulnerabilities.
Under Detected exploitable vulnerabilities, select an exploitable vulnerability, regardless of the application it belongs to, and explore details about the vulnerability and understand the specifics of how to address it.
Fix untested applications
If you have an application in New Relic that hasn't been tested for exploitable vulnerabilities, do the following:
Under Protect untested applications, select the application you want to test, or click See all and select it from the Untested applications table.
In the Enable IAST window, follow the steps to update your application configuration so it can be tested for exploitable vulnerabilities.
See the exploitable vulnerabilities coverage for all your applications
In one.newrelic.com > All capabilities > IAST > Coverage, you can see how many of your applications have or haven't been tested for exploitable vulnerabilities, as well as an overview of the health of all your applications.
If you see an application under Untested applications that you want to test for exploitable vulnerabilities, click Set up IAST to fix the untested application.
To query the findings for one application directly, go to one.newrelic.com > All capabilities > Query Your Data, and run the following NRQL query, replacing {MY_APP_ID} with your application's ID:
SELECT * FROM Vulnerability WHERE issueType = 'Application Vulnerability' AND appId = {MY_APP_ID}
Troubleshooting
If you don't see your application in one.newrelic.com > All capabilities > IAST > Applications > Tested applications, it could be due to:
an incorrect version of the APM agent. Check the version of your APM agent and upgrade it if needed.
IAST flags being disabled. Check the security configuration, and make sure that IAST flags are enabled for your security agent.
an unexpected error. To see what went wrong, go to the nr-security-home/logs directory and look for the [STEP-8] line in the LANGUAGE-security-collector-init.log file; if it's absent, the step that is missing tells you where startup stopped.
lack of traffic on the application. Generate some traffic to allow IAST to test your application.
The security agent has started successfully when all of the following are true:
You see your application in one.newrelic.com > All capabilities > IAST > Applications > Tested applications.
You see coverage for the application in one.newrelic.com > All capabilities > IAST > Applications. Select your application and then the Application coverage tab.
You see the message Security Agent is now ACTIVE in the security agent log file nr-security-home/logs/LANGUAGE-security-collector.log. Replace LANGUAGE in the filename with the one you used.
You get the OK value for Service stats -> agentActiveStat in the latest log file in nr-security-home/logs/snapshots/.
In the nr-security-home/logs directory, search for the LANGUAGE-security-collector-init.log file. Replace LANGUAGE in the filename with the one you used, and make sure you see these steps:
[STEP-1]: The security agent is starting.
[STEP-2]: The security agent generates a unique identifier. For web socket connection, you'll see Node auth headers.
[STEP-3]: The security agent gathers information about your application.
[STEP-4]: The web socket connection to SaaS validator is established successfully.
[STEP-5]: The security agent threads are started.
[STEP-6]: The application instrumentation is successful.
[STEP-7]: The application receives and applies your policies and configuration.
[STEP-8]: You see a first event sent for validation, which means the security agent started successfully.
Here's an excerpt of a security agent log file LANGUAGE-security-collector-init.log:
Init Log File initiated.
Init Logger configured successfully with level: INFO and rollover on max size 52428800.
2023-05-26 10:45:02 : [8] [New Relic RPM Connection Service] INFO : com.newrelic.api.agent.security.Agent - [STEP-1] => Security agent is starting
2023-05-26 10:45:02 : [8] [New Relic RPM Connection Service] INFO : com.newrelic.api.agent.security.Agent - [STEP-3] => Gathering information about the application
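As an added example (this is not New Relic's code and not part of the security agent), here is a small Python checker that reads a LANGUAGE-security-collector-init.log in the format of the excerpt above, records which [STEP-n] markers were logged, and reports the first missing step and the last error. The sample log embedded in it is constructed for this example: the header and [STEP-1]/[STEP-3] lines follow the excerpt, while the [STEP-2] line, the ERROR line and the missing [STEP-4] to [STEP-8] are made up to model a startup that never reached the SaaS validator.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample init log (not a real New Relic log). See the lead-in
# for which lines are modelled on the excerpt and which are invented.
SAMPLE_INIT_LOG = """\
Init Log File initiated.
Init Logger configured successfully with level: INFO and rollover on max size 52428800.
2023-05-26 10:45:02 : [8] [New Relic RPM Connection Service] INFO : com.newrelic.api.agent.security.Agent - [STEP-1] => Security agent is starting
2023-05-26 10:45:02 : [8] [New Relic RPM Connection Service] INFO : com.newrelic.api.agent.security.Agent - [STEP-2] => Generating unique identifier
2023-05-26 10:45:02 : [8] [New Relic RPM Connection Service] INFO : com.newrelic.api.agent.security.Agent - [STEP-3] => Gathering information about the application
2023-05-26 10:45:03 : [8] [New Relic RPM Connection Service] ERROR : com.newrelic.api.agent.security.Agent - Unable to connect to validator
"""

# Meaning of each step, taken from the [STEP-1]..[STEP-8] list above.
STEP_MEANING = {
    1: "security agent is starting",
    2: "unique identifier generated",
    3: "application information gathered",
    4: "web socket connection to SaaS validator established",
    5: "security agent threads started",
    6: "application instrumentation successful",
    7: "policies and configuration applied",
    8: "first event sent for validation (agent started successfully)",
}
LAST_STEP = max(STEP_MEANING)

# One log line: "<date time> : [<thread id>] [<thread name>] <LEVEL> : <class> - [STEP-n] => <message>"
# The "[STEP-n] => " part is optional so that plain INFO/ERROR lines still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) : "
    r"\[(?P<tid>\d+)\] \[(?P<thread>[^\]]*)\] (?P<level>[A-Z]+) : "
    r"(?P<cls>\S+) - (?:\[STEP-(?P<step>\d+)\] => )?(?P<msg>.*)$"
)


@dataclass
class InitLogReport:
    seen_steps: list = field(default_factory=list)     # steps found, ascending
    missing_steps: list = field(default_factory=list)  # steps never logged
    errors: list = field(default_factory=list)         # messages at ERROR/SEVERE level

    @property
    def agent_started(self) -> bool:
        # [STEP-8] is the "started successfully" marker.
        return LAST_STEP in self.seen_steps

    @property
    def first_missing_step(self) -> Optional[int]:
        return self.missing_steps[0] if self.missing_steps else None


def parse_init_log(text: str) -> InitLogReport:
    """Collect the logged step numbers and error messages from an init log."""
    seen = set()
    errors = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines such as "Init Log File initiated." carry no step
        if m["step"] is not None:
            seen.add(int(m["step"]))
        if m["level"] in ("ERROR", "SEVERE"):
            errors.append(m["msg"].strip())
    return InitLogReport(
        seen_steps=sorted(seen),
        missing_steps=[n for n in range(1, LAST_STEP + 1) if n not in seen],
        errors=errors,
    )


def diagnose(report: InitLogReport) -> str:
    """Turn the report into the one-line answer a troubleshooter wants."""
    if report.agent_started:
        return "Security agent started successfully ([STEP-8] present)."
    n = report.first_missing_step
    msg = f"Startup stalled before [STEP-{n}] ({STEP_MEANING[n]})."
    if report.errors:
        msg += " Last error: " + report.errors[-1]
    return msg


if __name__ == "__main__":
    r = parse_init_log(SAMPLE_INIT_LOG)
    print("seen:", r.seen_steps, "missing:", r.missing_steps)
    print(diagnose(r))
```

Point it at your real file with `parse_init_log(open(path).read())`; for the sample above it reports that startup stalled before [STEP-4], which is exactly the web socket / SaaS validator step to investigate next.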
Currently, IAST reports findings only and doesn't alert you, so you need to check the UI yourself to see whether your applications have any vulnerabilities.
Go to one.newrelic.com > All capabilities > IAST > Applications > Tested applications, click the application, and then click the Application coverage tab to view the application testing efficiency, APIs covered, and method calls, among other data.
If you see your application in New Relic and the security agent successfully started IAST, but you don't see vulnerabilities in one.newrelic.com > All capabilities > IAST, then this could be due to:
Your Application testing efficiency being low. You can check the level of efficiency in one.newrelic.com > All capabilities > IAST > Coverage. Add additional test cases to your application to get a higher level of testing efficiency.
Your application being secure. In this case, your Application testing efficiency in one.newrelic.com > All capabilities > IAST > Coverage is high, but no vulnerabilities are detected.
Your web socket connection being broken. Please check the latest log file in your nr-security-home/logs/snapshots/ folder, and look for the Service stats -> websocket line. The expected value is OK.
Your application's framework or vulnerability category not being supported. See the supported frameworks for your language's security agent.
If you're still not sure why you don't see vulnerabilities in IAST, share your application's configuration and logs with our support team.
While IAST is running, your application may show higher traffic and latency for some time, because the security agent replays requests against it. This should resolve a few minutes after the IAST test completes.
You can also check the snapshot log file in the nr-security-home/logs/snapshots folder. The log file shows you the status of the security agent, resource usage, and the last five errors.
If your application can create files and directories as part of serving an HTTP request, IAST will try to test that code path and will therefore create such files and directories. Files created by the application code in response to these incoming HTTP requests can't be deleted by the agent, so expect leftover artifacts in your pre-production environment.
If you're sure that none of your APIs can create files and directories, share your application's configuration and logs with our support team.
As a part of IAST, the security agent sends new requests to the application that increases the load, resulting in an increase of resource utilization. This IAST analysis can also expose uncaught errors or exceptions in your application.
If the application has crashed due to lack of resources, increase the resources, restart the application, and perform IAST again.
For Go, make sure that you imported the required New Relic instrumentation packages for the libraries and frameworks that your application uses. Code paths that aren't instrumented can't be tested by IAST.